> > > If a person keeps a directory of material
> > > regarding vulnerabilities, and it is not password protected or restricted
> > > in any way, are we to assume it may be private in some fashion?
> >
> > Well... if it can be linked to from the front page or obtained by reading
> > a download ZIP archive, that's public to me.
>
> How about if it is a directory with no auth required, but not linked off
> the public pages? i.e., I send CVE http://blah/vulns/issue1.txt. A month
> later, you check the /vulns/ directory and notice issue2.txt which is not
> published anywhere. Is that fair game?

If you put something on a web site, without authentication, then it is
without any doubt public. (Incidentally, this includes directories
without indexing enabled, pages that aren't linked to, etc.) In short,
if it's meant to be kept out of the public sphere don't put it on a web
site (or at least put some auth on it). In the case of bugzilla, it has
the ability to mark bugs as private so no one can see them... so there
really should be no excuse.
-Sullo
--
http://www.cirt.net/ | http://www.osvdb.org/
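As an added illustration of the point above (this is not part of the thread and not anyone's posted config), here is an Apache 2.4 configuration showing the difference between merely turning off directory listings for a /vulns/ directory and actually requiring authentication for it. The directory path, htpasswd path and realm name are placeholders; use one of the two blocks, not both, since they cover the same directory.

```apache
# Added example, not from the thread. Paths and names are placeholders.

# NOT protection: the index listing is gone, but anyone who knows or
# guesses the file name (e.g. /vulns/issue2.txt) still gets it with no
# credentials. This is the "directory without indexing" case in the post.
<Directory "/var/www/html/vulns">
    Options -Indexes
    Require all granted
</Directory>

# Actual restriction: every request under /vulns/ must present valid
# credentials from the htpasswd file. Create the file once with:
#   htpasswd -c /etc/apache2/vulns.htpasswd someuser
<Directory "/var/www/html/vulns">
    Options -Indexes
    AuthType Basic
    AuthName "Unpublished vulnerability notes"
    AuthUserFile "/etc/apache2/vulns.htpasswd"
    Require valid-user
</Directory>
```

Basic auth sends the credentials with each request, so the restricted block only does its job on an HTTPS virtual host; and if the material never needs to be served at all, keeping it outside the document root removes the question entirely.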